[Medium] patch python-requests for CVE-2024-47081 (#14022)

Author: jykanase

SPECS/python-requests/CVE-2024-47081.patch

@@ -0,0 +1,31 @@
+From f39e5f610545a89aadbc714cb9cc2071781b1d02 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Tue, 17 Jun 2025 05:20:20 +0000
+Subject: [PATCH] CVE-2024-47081
+
+Upstream Patch Reference: https://github.com/psf/requests/commit/96ba401c1296ab1dda74a2365ef36d88f7d144ef
+---
+ requests/utils.py | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/requests/utils.py b/requests/utils.py
+index 153776c..cb9d01d 100644
+--- a/requests/utils.py
++++ b/requests/utils.py
+@@ -209,12 +209,7 @@ def get_netrc_auth(url, raise_errors=False):
+ 
+         ri = urlparse(url)
+ 
+-        # Strip port numbers from netloc. This weird `if...encode`` dance is
+-        # used for Python 3.2, which doesn't support unicode literals.
+-        splitstr = b':'
+-        if isinstance(url, str):
+-            splitstr = splitstr.decode('ascii')
+-        host = ri.netloc.split(splitstr)[0]
++        host = ri.hostname
+ 
+         try:
+             _netrc = netrc(netrc_path).authenticators(host)
+-- 
+2.45.2
+

SPECS/python-requests/python-requests.spec

@@ -1,7 +1,7 @@
 Summary:        Awesome Python HTTP Library That's Actually Usable
 Name:           python-requests
 Version:        2.27.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            http://python-requests.org
 Source0:        https://github.com/requests/requests/archive/v%{version}/requests-v%{version}.tar.gz#/requests-%{version}.tar.gz
 Patch0:         CVE-2023-32681.patch
 Patch1:         CVE-2024-35195.patch
+Patch2:         CVE-2024-47081.patch
 BuildArch:      noarch
 
 %description
@@ -73,6 +74,9 @@ LANG=en_US.UTF-8 tox -e py%{python3_version_nodots}
 %{python3_sitelib}/*
 
 %changelog
+* Tue Jun 17 2025 Jyoti Kanase <[email protected]> - 2.27.1-8
+- Add patch for CVE-2024-47081
+
 * Tue May 28 2024 Lanze Liu <[email protected]> - 2.27.1-7
 - Add patch for CVE-2024-35195